steps towards a completely managed cluster

.gitignore

@@ -1,2 +1,6 @@
+# Kubernetes secrets
 *.secret.yaml
-charts/
+main.key
+
+# Helm Chart files
+charts/

README.md

@@ -1,7 +1,6 @@
 # Kluster setup and IaaC using argoCD
 
 
-
 ### Initial setup
 #### Requirements:
 - A running k3s instance
@@ -28,5 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
+#### Recap
+- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+    ```bash
+    kubectl apply -k infrastructure/sealedsecrets
+    kubectl apply -f infrastructure/sealedsecrets/main.key
+    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
+    ```
+- install argocd
+    ```bash
+    kubectl apply -k infrastructure/argocd
+    ```
+- wait...
+
 
 ### Adding an application
+todo
+
+

apps/ocis/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ocis-statefulset
+spec:
+  selector:
+    matchLabels:
+      app: ocis
+  serviceName: ocis-web
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: ocis
+    spec:
+      containers:
+      - name: ocis
+        image: ocis
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1000m"
+        env:
+        - name: OCIS_INSECURE
+          value: "true"
+        - name: OCIS_URL
+          value: "https://ocis.kluster.moll.re"
+        - name: OCIS_LOG_LEVEL
+          value: "debug"
+        ports:
+        - containerPort: 9200
+        volumeMounts:
+        - name: ocis-config
+          mountPath: /etc/ocis
+        # - name: ocis-config-file
+        #   mountPath: /etc/ocis/config.yaml
+        - name: ocis-data
+          mountPath: /var/lib/ocis
+      volumes:
+      # - name: ocis-config
+      #   persistentVolumeClaim:
+      #     claimName: ocis-config
+      - name: ocis-config
+        secret:
+          secretName: ocis-config
+      - name: ocis-data
+        persistentVolumeClaim:
+          claimName: ocis-data

apps/ocis/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ocis-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`ocis.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: ocis-web
+      port: 9200
+      scheme: https
+
+  tls:
+    certResolver: default-tls 

apps/ocis/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - ingress.yaml
+  - service.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - ocis-config.sealedsecret.yaml
+
+namespace: ocis
+
+images:
+  - name: ocis
+    newName: owncloud/ocis
+    newTag: "5.0"

apps/ocis/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/ocis/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: ocis-data
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi

apps/ocis/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ocis-web
+spec:
+  selector:
+    app: ocis
+  ports:
+  - port: 9200
+    targetPort: 9200

infrastructure/external/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: external
+
+
+resources:
+  - omv-s3.ingress.yaml
+  - openmediavault.ingress.yaml
+  - proxmox.ingress.yaml

infrastructure/external/omv-s3.ingress.yaml

@@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: omv-s3-ingressroute
-  namespace: external
 spec:
   entryPoints:
     - websecure
@@ -20,7 +19,6 @@ apiVersion: v1
 kind: Endpoints
 metadata:
   name: omv-s3
-  namespace: external
 subsets:
   - addresses:
       - ip: 192.168.1.157
@@ -31,7 +29,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: omv-s3
-  namespace: external
 spec:
   ports:
     - port: 9000

infrastructure/nfs/kustomization.yaml

@@ -3,8 +3,6 @@ kind: Kustomization
 
 namespace: nfs-provisioner
 
-bases:
-
 resources:
   - github.com/kubernetes-sigs/nfs-subdir-external-provisioner//deploy
   - namespace.yaml

infrastructure/sealedsecrets/README.md

@@ -0,0 +1,9 @@
+### Restoring sealed secrets
+```bash
+# install the sealed secrets controller
+kubectl kustomize . | kubectl apply -f -
+# restore the sealed secrets
+kubectl apply -f main.key
+# restart pod
+kubectl delete pod -n kube-system -l name=sealed-secrets-controller
+```

infrastructure/sealedsecrets/controller.yaml

@@ -6,7 +6,6 @@ metadata:
   labels:
     name: sealed-secrets-service-proxier
   name: sealed-secrets-service-proxier
-  namespace: kube-system
 rules:
 - apiGroups:
   - ""
@@ -35,7 +34,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -43,7 +41,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: sealed-secrets-controller
-  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -52,7 +49,6 @@ metadata:
   labels:
     name: sealed-secrets-key-admin
   name: sealed-secrets-key-admin
-  namespace: kube-system
 rules:
 - apiGroups:
   - ""
@@ -116,7 +112,6 @@ metadata:
   labels:
     name: sealed-secrets-service-proxier
   name: sealed-secrets-service-proxier
-  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -133,7 +128,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 spec:
   minReadySeconds: 30
   replicas: 1
@@ -157,7 +151,7 @@ spec:
         command:
         - controller
         env: []
-        image: docker.io/bitnami/sealed-secrets-controller:v0.23.1
+        image: controller
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -342,7 +336,6 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system
 spec:
   ports:
   - port: 8080
@@ -365,7 +358,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: sealed-secrets-controller
-  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -374,4 +366,3 @@ metadata:
   labels:
     name: sealed-secrets-controller
   name: sealed-secrets-controller
-  namespace: kube-system

infrastructure/sealedsecrets/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+  - controller.yaml
+
+images:
+  - name: controller
+    newName: docker.io/bitnami/sealed-secrets-controller
+    newTag: v0.23.1

kluster-deployments/external-services/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-application
+  namespace: argocd
+
+spec:
+  project: infrastructure
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: infrastructure/external
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: external
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/external-services/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml

kluster-deployments/ocis/application.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ocis-application
+  namespace: argocd
+
+spec:
+  project: apps
+  source:
+    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
+    targetRevision: main
+    path: apps/ocis
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ocis
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/ocis/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml